There is no question that the uptake in cloud services and influx of connected devices is creating a more complex environment for implementing security. This is illustrated by the fact that CSO Online estimates that a typical enterprise is evaluating or deploying as many as 75 different security products to cover the many different aspects of security.
With so much emphasis on the latest and greatest firewalls or threat detection systems, one solution often overlooked to improve a company’s security posture is the network itself. What’s ironic is that with most breaches it’s the network design that gets organizations into trouble.
Why? Since many networks today are flat, a hacker can make their way onto the network through an unsuspecting user or unattended IoT device, and once they are in they have an IP interface – and therefore with relatively little effort, the IP network topology can be discovered. Ultimately, this allows the hacker to very-carefully navigate their way to the organization’s “crown jewels.”
This was illustrated in a proof of concept hack where, due to the hospital’s flat network, researchers were able to hack into the network, then quite easily discover and penetrate an ultrasound machine. The next step was to download and manipulate patient files, then execute ransomware.
Investing in the right network infrastructure and the right design can prevent this type of dangerous and costly occurrence and enhance security by:
- Reducing the attack surface
- Preventing lateral movement
- Concealing the core infrastructure
- Eliminating back door entry points
- Enabling complete isolation of critical devices and control systems
- Ensuring that your next-generation firewalls and threat protection systems are being used most efficiently
Extreme Fabric Connect offers immense value in providing an inherently-secure network. In fact, throughout multiple public hack-a-thons, it has proven impenetrable.
Here are a few ways Fabric Connect helps improve an organization’s overall security posture:
Reduced attack surface and prevention of lateral movements with scalable network segmentation
According to Rob Joyce of the NSA, “A well-segmented network means that if a breach occurs, it can be contained… the difference between a contained and uncontained breach is the difference between an incident and a catastrophe.”
In the example of the breached ultrasound, had the network been segmented, the hackers would have been contained to their point of entry. They wouldn’t have had any visibility to the ultrasound machines connected to the network and the ransomware attack would have been avoided.
Having originated in the service provider space, Fabric Connect enables network segments to be deployed with massive scale. An addressing hierarchy is used to provide a clear separation between the user services or segments and the underlying network infrastructure.
With Fabric Connect, user traffic is encapsulated at the edge so that it is completely invisible to the network core. Services or segments are also completely isolated from one another. They run as ships passing in the night, without any awareness of each other, and without allowing any access in or out, unless otherwise configured through strictly-controlled access points. This ensures that if there is a breach, it is contained within the segment where it occurred – minimizing potential damage.
Concealment of the core infrastructure
Since the core technology behind Fabric Connect is based on Ethernet Switched Paths (as opposed to IP), it is impervious to commonly-used IP scanning and hacking tools that hackers use to discover the network topology. Anyone running an IP scan against a Fabric Connect environment would simply get a list of IP subnets all showing just a single hop to the egress of the network. Everything in between is “dark.” This inability to discover the topology of the network makes it nearly impossible for hackers to laterally move to sensitive areas of the network.
Network administrators, however, have full visibility and control of the topology of the network. When combined with telemetry and analytics capabilities, visibility can even extend to application flow data and detailed packet analysis.
Removal of residual configuration at the edge
One of the main values of Fabric Connect is that it can dynamically establish secure segments at the network edge as authenticated users and devices connect. Segments are elastic in nature, extending and retracting as authenticated users and devices connect and disconnect from the network. When a user disconnects from a switch port and access to the segment is no longer required, the residual configuration is automatically deleted on the edge switches. This not only removes the delays and risks associated with manually-configured conventional networks, but it also eliminates the risk of a back-door entry point to the network.
Complete isolation for critical devices and control systems
The most stealth network segment in a Fabric Connect network is a Layer 2 segment, where absolutely no IP interface has been defined. IP can still run ‘inside’ the L2 segment, but the segment itself is a totally-closed environment where nothing can enter or exit unless otherwise provisioned. This type of service is useful for protocols that are used for control and management of security-critical infrastructure such as power grids, subways, and trains, as well as production and manufacturing floors, where providing a closed environment, is critical.
Efficient deployment of security solutions
Some organizations rely on firewalls to segment the network. Over time this approach can lead to high CAPEX and OPEX costs. With Fabric Connect, the network is simple to segment and easy to manage, so firewalls can be used much more efficiently at demarcation points.
Threat protection agents can be strategically deployed at the ingress and egress of the network segments to watch for abnormal data moving in and out of segments. Policy servers can control access to network segments and ensure users and devices are properly authenticated and have the credentials needed to gain access to a specific segment.
The bottom line is that with the right design, the network can be an active participant in protecting organizations from catastrophic “headline-making” attacks. The time has come to turn over a portion of that security budget to the network.
Originally published on the Extreme Network Blog, April 8, 2019, by Camille Campbell
